Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-cxf-soap) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-cxf-soap) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-cxf-soap) 4.19.0 before 4.21.0

Description:

Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') 
vulnerability in Apache Camel CXF SOAP component.

The camel-cxf producer selects which SOAP operation to invoke on the backend 
service from the operationName (and operationNamespace) Exchange header, whose 
constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the 
plain strings operationName / operationNamespace. Because these names do not 
start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks 
only the Camel header namespace on the HTTP boundary - let them pass from an 
inbound HTTP request straight into the Exchange. In a route that bridges an 
HTTP consumer (for example platform-http) into a cxf: producer, any HTTP client 
could therefore set the operationName header and have CxfProducer resolve and 
invoke a different WSDL operation than the route intended - for example 
replacing a read operation with a destructive one - against the backend SOAP 
service (a confused-deputy redirection). The constant is defined in the shared 
camel-cxf-common module, so the same non-prefixed names also applied to 
camel-cxfrs. No credentials are required when the bridging consumer is 
unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. After upgrading, the operation-selection headers are 
named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at 
transport boundaries; see the 4.21 upgrade guide for the cross-transport 
carrier-header pattern. For deployments that cannot upgrade immediately, do not 
select the CXF operation from untrusted input: strip the operationName and 
operationNamespace headers from any untrusted ingress before the cxf: producer 
and set the operation from a trusted source in the route.

Credit:

Yu Bao from Paypal (finder)
Andrea Cosentino (remediation developer)

References:

https://camel.apache.org/security/CVE-2026-46592.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46592

Reply via email to